A technique that threat actors first used some 20 years ago to trick users into executing malicious files appears to be making a comeback.
Security vendor Vade on Tuesday said its researchers had spotted more than 400 attacks in the past two weeks employing the method — called right-to-left override (RLO) — in a phishing campaign targeting Microsoft 365 users. Just two out of 58 malware detection tools on VirusTotal were able to detect the threat, Vade said.
In an RLO attack, adversaries take advantage of a specific non-printing Unicode character, [U+202e], to disguise extensions so users get tricked into executing malicious files. U+202e is an RLO Unicode character that, when used before a particular word or piece of text, changes all subsequent text to be displayed right-to-left, as is needed to support Hebrew and Arabic languages. For example, when the character is used before the word "Vade," the text would be displayed as "edaV."
In the past, attackers have taken advantage of the Unicode character to disguise executable files. Vade pointed to how attackers would use U+202e in an executable file like "abctxt.exe," for example, so it would appear as the more benign looking "abcexe.txt." To achieve this, Vade said, the adversary would only need to insert U+202e into the string this way: "abc [U+202e] txt.exe"
Over the years, attacker interest in the technique waned as detection mechanisms improved. But in recent months, some adversaries have begun reusing the technique. Last August, the Health Information Sharing and Analysis Center (H-ISAC) issued an advisory warning about threat actors using the right-to-left-override character to obfuscate malicious files and deliver the Cobalt Strike toolkit on systems belonging to organizations in the healthcare sector.
"Modifying and improving old techniques to adapt to today's environments is common among attackers, who are always looking for new ways to break through," says Adrien Gendre, chief technology and product officer as well as co-founder of Vade.
In the campaign that the security vendor recently observed, adversaries employed the RLO technique to try to trick email recipients into believing they were opening an audio file when clicking on the file actually took them to a credential phishing site instead.
For the scam, the attackers sent Microsoft 365 users an email notification inviting them to access an attached voicemail file. The email subject contained the recipient's actual name, and other aspects of the email looked genuine as well, such as the date and time. The attached file, too, ended with either an ".mp3" or a ".wav" file extension, which is what a user would normally expect with an audio file. However, clicking on it would only lead the user to an apparent Microsoft login page that sought to make the user enter their password.
"Previous attacks popular in the '90s and early 2000s used RLO spoofing to conceal executable malware files," Gendre says. "The recent RLO campaign uses the technique to disguise an html file, which includes a link to a phishing page, as an MP3 file that the user believes is a voicemail message."
Few security tools were able to detect the scam because they are designed to scan for IP and domain reputations and known malware signatures. "[With] the recent attacks, the attachments do not include known malware code but instructions in the html file to open a phishing page," he notes.
More Trouble on the Horizon?
Vade's report points to another report that researchers at Cambridge University published last November about a vulnerability they discovered in the Unicode specification (CVE-2021-42574) that gives attackers a way to disguise and insert malicious code into software during the development phase. The vulnerability allows attackers to use certain Unicode characters, including the RLO (U+202e) character, to basically reorder code that would change its logic while still retaining visual and semantic correctness. "Adversaries can leverage this deception to commit vulnerabilities into code that will not be seen by human reviewers," the two Cambridge University researchers wrote.
"A developer with access to source code could encode source code with this technique," Gendre says. "Also, as we saw with the SolarWinds attack, it could come from outside the organization via a breach."
Another vulnerability in the Unicode specification that the researchers discovered (CVE-2021-42694) gives attackers a way to use characters that appear near identical to each other — or homoglyphs — to inject malicious code during software development, which is almost impossible to detect visually.
Gendre notes that one way organizations can mitigate risk from these vulnerabilities is to ban text directionality in compilers and language specifications.